A Long-Overdue Fix for a Decades-Old Problem
For over two decades, web developers have relied on innerHTML—a seemingly innocuous property that lets JavaScript inject raw HTML into a page. It’s fast, convenient, and dangerously permissive. By design, innerHTML parses and executes any script tags, event handlers, or malicious payloads embedded in the string it receives. This has made it a favorite vector for cross-site scripting (XSS) attacks, where attackers slip malicious code into user inputs that later get rendered as HTML. Despite repeated warnings from security researchers, innerHTML remained a staple in front-end development—until now.
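The contrast described above, as an added example that is not code from the article or from Firefox: the innerHTML path renders a constructed untrusted string as-is, while the hardened path prefers the sanitizing setHTML method the article goes on to introduce and falls back to text insertion where it is absent. The mock element, the sample input and the allowlist option mentioned in a comment are assumptions made here so the code runs outside a browser.

```javascript
// Constructed sample of untrusted input: an inline event handler and a script tag.
const UNTRUSTED =
  '<p>Hello <b>user</b></p><img src="x" onerror="alert(1)"><script>alert(2)</script>';

// Before (vulnerable): the markup is parsed unchanged, so the inline
// onerror handler is live once the image fails to load.
function renderUnsafe(el, html) {
  el.innerHTML = html;
  return "innerHTML";
}

// After (hardened): setHTML() sanitizes before insertion. Where the browser
// lacks it, treat the string as text so no markup is ever interpreted.
function renderSafe(el, html) {
  if (typeof el.setHTML === "function") {
    // Assumption: the default sanitizer configuration is used here; the
    // Sanitizer API draft also accepts an explicit allowlist via the
    // options argument, e.g. { sanitizer: { elements: ["p", "b"] } }.
    el.setHTML(html);
    return "setHTML";
  }
  el.textContent = html;
  return "textContent";
}

// Minimal mock of an Element so the functions above can run under Node.
// The regexes are NOT a sanitizer; they only mimic, for this sample input,
// what a real browser's setHTML() would drop (script elements and on*
// attributes) so the behaviour can be checked offline.
function makeMockElement({ supportsSetHTML }) {
  const el = { innerHTML: "", textContent: "" };
  if (supportsSetHTML) {
    el.setHTML = (html) => {
      el.innerHTML = html
        .replace(/<script\b[\s\S]*?<\/script>/gi, "")
        .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
    };
  }
  return el;
}

// Stand-alone demonstration of the three outcomes on the same input.
const modern = makeMockElement({ supportsSetHTML: true });
const legacy = makeMockElement({ supportsSetHTML: false });
const unsafe = makeMockElement({ supportsSetHTML: false });
renderSafe(modern, UNTRUSTED);   // innerHTML keeps <p>, <b>, <img src="x">
renderSafe(legacy, UNTRUSTED);   // textContent holds the raw string, innerHTML stays empty
renderUnsafe(unsafe, UNTRUSTED); // innerHTML holds the payload verbatim
```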
Firefox 148 introduces setHTML, a new method that sanitizes input by default before inserting it into the DOM. Unlike innerHTML, which blindly trusts the string it’s given, setHTML strips out potentially dangerous elements like